Re: [TLS] Single round trip abbreviated handshake

Adam Langley <agl@google.com> Wed, 03 February 2010 12:39 UTC

Return-Path: <agl@google.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4BAC03A6915 for <tls@core3.amsl.com>; Wed, 3 Feb 2010 04:39:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.777
X-Spam-Level:
X-Spam-Status: No, score=-102.777 tagged_above=-999 required=5 tests=[AWL=-0.800, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I+V7RXkgpMl2 for <tls@core3.amsl.com>; Wed, 3 Feb 2010 04:39:24 -0800 (PST)
Received: from smtp-out.google.com (smtp-out.google.com [216.239.44.51]) by core3.amsl.com (Postfix) with ESMTP id 7C5F33A680C for <tls@ietf.org>; Wed, 3 Feb 2010 04:39:24 -0800 (PST)
Received: from spaceape23.eur.corp.google.com (spaceape23.eur.corp.google.com [172.28.16.75]) by smtp-out.google.com with ESMTP id o13Ce5YI013172 for <tls@ietf.org>; Wed, 3 Feb 2010 04:40:05 -0800
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1265200806; bh=SDJH5qNBAJa38A5C/gvgHhGN+58=; h=MIME-Version:In-Reply-To:References:Date:Message-ID:Subject:From: To:Cc:Content-Type; b=p3DDjm+p+c2IdN23Sit5T7u5PvVF2PQWL/HJRL8Vtw8ftQ9czhYgeh0bkbHlA7XM/ GEruO6KB3vNUnhjYvcgRg==
DomainKey-Signature: a=rsa-sha1; s=beta; d=google.com; c=nofws; q=dns; h=mime-version:in-reply-to:references:date:message-id:subject:from:to: cc:content-type:x-system-of-record; b=kRt6E8EzLdL48GD5GVaKw943YM85IzlQCnNbNYdPfFDQ72ov0ZK0cF8RdEaryTtsn MxgTFMpe9OstUbL+2NjxA==
Received: from pxi37 (pxi37.prod.google.com [10.243.27.37]) by spaceape23.eur.corp.google.com with ESMTP id o13CdfxZ009637 for <tls@ietf.org>; Wed, 3 Feb 2010 04:40:04 -0800
Received: by pxi37 with SMTP id 37so1371565pxi.9 for <tls@ietf.org>; Wed, 03 Feb 2010 04:40:03 -0800 (PST)
MIME-Version: 1.0
Received: by 10.142.56.1 with SMTP id e1mr4958641wfa.283.1265200803621; Wed, 03 Feb 2010 04:40:03 -0800 (PST)
In-Reply-To: <3561bdcc1002030424xfe799c5he2b146a8347d688b@mail.gmail.com>
References: <3561bdcc1002022012s2867aac2vaa154013b62e8489@mail.gmail.com> <a84d7bc61002030340l43de0f6cw2b92b5ab39d82b7f@mail.gmail.com> <3561bdcc1002030424xfe799c5he2b146a8347d688b@mail.gmail.com>
Date: Wed, 3 Feb 2010 07:40:03 -0500
Message-ID: <a84d7bc61002030440t39d4c9c6r891bac70fe5fd568@mail.gmail.com>
From: Adam Langley <agl@google.com>
To: Ravi Ganesan <ravi@findravi.com>
Content-Type: text/plain; charset=UTF-8
X-System-Of-Record: true
Cc: tls@ietf.org
Subject: Re: [TLS] Single round trip abbreviated handshake
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Feb 2010 12:39:25 -0000

On Wed, Feb 3, 2010 at 7:24 AM, Ravi Ganesan <ravi@findravi.com>; wrote:
> Question: Restricting analysis to abbreviated handshake, would it not
> be the case that the session_ids and corresponding master secrets for
> exisiting session would be separate in the two clusters? i.e. unless
> you allow me to do full handshake in cluster 1 and resume it in
> cluster 2. If you do not then does this not prevent replay from one
> cluster to the other?

Although you can probably probe different Google frontend clusters to
find this stuff out, I'm going to shy away from talking about the
specifics of Google's serving infrastructure.

Keeping things general:

Session IDs need some kind of server-side storage and SessionTickets
contain arbitary server controlled data, so both could contain an
epoch number that the server uses internally when validating an nonce
for uniqueness.

So, if these schemes were to be coupled (resumption and client
supplied nonces), then the need for the client to handle the epoch
could be removed.


AGL